topic Re: How to search for url fields that only contain IP address in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-search-for-url-fields-that-only-contain-IP-address/m-p/297693#M89831 <P>Try these to see if they perform any better. Since you're filter is regex driven, it can't be easily include in base/main search which will make it faster.</P> <P>not so much hope on being faster</P> <PRE><CODE>index=foo sourcetype=bar | where match(url,"(\d{1,3}\.}{3}\d{1,3})") </CODE></PRE> <P>OR dirty workaround</P> <PRE><CODE>index=foo sourcetype=bar [| gentimes start=-1 | eval p=mvrange(1,10) | table p | mvexpand p | eval q=mvrange(0,10) | mvexpand q | eval r=mvrange(0,10) | mvexpand r | eval s=mvrange(0,10) | mvexpand s | eval url="*".p."*.".q."*.".r."*.".s."*" | table url] </CODE></PRE> Thu, 06 Jul 2017 21:30:28 GMT somesoni2 2017-07-06T21:30:28Z How to search for url fields that only contain IP address https://community.splunk.com/t5/Splunk-Search/How-to-search-for-url-fields-that-only-contain-IP-address/m-p/297689#M89827 <P>I'm trying to do a search that will show me only IP address for the field url,</P> <P>example = sourcetype=fakename url=(only field that has IP address in it 1.1.1.1 or 1.1.1.1/index) </P> <P>Do you know what i can use for the url field that will only give me ip address?</P> Thu, 06 Jul 2017 16:36:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-url-fields-that-only-contain-IP-address/m-p/297689#M89827 mrtolu6 2017-07-06T16:36:31Z Re: How to search for url fields that only contain IP address https://community.splunk.com/t5/Splunk-Search/How-to-search-for-url-fields-that-only-contain-IP-address/m-p/297690#M89828 <P>Try like this</P> <PRE><CODE>index=foo sourcetype=bar | regex url=".+(\d{1,3}\.}{3}\d{1,3}).*" </CODE></PRE> Thu, 06 Jul 2017 16:39:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-url-fields-that-only-contain-IP-address/m-p/297690#M89828 somesoni2 2017-07-06T16:39:37Z Re: How to search for url fields that only contain IP address https://community.splunk.com/t5/Splunk-Search/How-to-search-for-url-fields-that-only-contain-IP-address/m-p/297691#M89829 <P>Note - This solution answers the question in the title - what will eliminate all records that do not have an IP somewhere in the url field. I'm not absolutely sure that's what the OP is asking, but I'm not sure it's not.</P> <P>@mrtolu6 - If you only want url values that START with an IP, like your examples, then replace the <CODE>.+</CODE> with <CODE>^</CODE></P> Thu, 06 Jul 2017 17:43:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-url-fields-that-only-contain-IP-address/m-p/297691#M89829 DalJeanis 2017-07-06T17:43:35Z Re: How to search for url fields that only contain IP address https://community.splunk.com/t5/Splunk-Search/How-to-search-for-url-fields-that-only-contain-IP-address/m-p/297692#M89830 <P>This, seems to run slow when i run this, do you know another search i can run to get the IP addressw</P> Thu, 06 Jul 2017 20:01:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-url-fields-that-only-contain-IP-address/m-p/297692#M89830 mrtolu6 2017-07-06T20:01:35Z Re: How to search for url fields that only contain IP address https://community.splunk.com/t5/Splunk-Search/How-to-search-for-url-fields-that-only-contain-IP-address/m-p/297693#M89831 <P>Try these to see if they perform any better. Since you're filter is regex driven, it can't be easily include in base/main search which will make it faster.</P> <P>not so much hope on being faster</P> <PRE><CODE>index=foo sourcetype=bar | where match(url,"(\d{1,3}\.}{3}\d{1,3})") </CODE></PRE> <P>OR dirty workaround</P> <PRE><CODE>index=foo sourcetype=bar [| gentimes start=-1 | eval p=mvrange(1,10) | table p | mvexpand p | eval q=mvrange(0,10) | mvexpand q | eval r=mvrange(0,10) | mvexpand r | eval s=mvrange(0,10) | mvexpand s | eval url="*".p."*.".q."*.".r."*.".s."*" | table url] </CODE></PRE> Thu, 06 Jul 2017 21:30:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-url-fields-that-only-contain-IP-address/m-p/297693#M89831 somesoni2 2017-07-06T21:30:28Z Re: How to search for url fields that only contain IP address https://community.splunk.com/t5/Splunk-Search/How-to-search-for-url-fields-that-only-contain-IP-address/m-p/297694#M89832 <P>none of these seems to work.</P> Mon, 10 Jul 2017 12:54:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-url-fields-that-only-contain-IP-address/m-p/297694#M89832 mrtolu6 2017-07-10T12:54:59Z Re: How to search for url fields that only contain IP address https://community.splunk.com/t5/Splunk-Search/How-to-search-for-url-fields-that-only-contain-IP-address/m-p/519789#M146385 <P>This will output only things where the url looks like an ip address.</P><LI-CODE lang="markup">sourcetype=fakename | where match(url, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$")</LI-CODE> Tue, 15 Sep 2020 20:49:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-url-fields-that-only-contain-IP-address/m-p/519789#M146385 automayt 2020-09-15T20:49:57Z